In this blog, we’ll discuss new tactics used in Hailstorm campaigns. These new tactics include infecting systems with a trojan for sending out spam, and leveraging a single system for hosting a large number of sites in which spam recipients are directed towards.  Investigating one such system, we uncovered 11,769 hostnames with 1,719 domains (2LD+TLD), each of which may serve spam content. 

In this analysis of the campaign we’ll combine a mixture of methods from DNS traffic analysis, malware hunting, and sandbox analysis to expand our coverage.

Below you’ll find sections including:

  1. Traffic Analysis: Looking more closely at the hosting IPs popularity.
  2. Hunting: Having identified a hosting IP, we pivot through the hostnames identifying new hosting IPs and registrants.
  3. Analyzing: Statistical properties in the distribution of subdomains.
  4. Malware Analysis: Analyzing related hashes and samples.

HOSTING IP POPULARITY

We were first notified of the hosting IP 95.31.22[.]193 having unusual volume of popularity within the last couple days. Below is an example of what we were seeing.

FIGURE: 95.31.22[.]193 popularity over the last three weeks.

In this plot, along with a more raw popularity, you see a 12-hour moving average to better capture the underlying trend. Notice, what piqued our interest is the larger than normal amount of popularity to this hosting IP in the last few days.

HAILSTORM DOMAINS AND HOSTNAMES

This hosting IP 95.31.22[.]193 was hosting confirmed hailstorm domains. For example:

vmiller.winnifredrobenia[.]win
barrie.winnifredrobenia[.]win
cdavila.winnifredrobenia[.]win
jeffunderwood.winnifredrobenia[.]win
jjefferson.winnifredrobenia[.]win
kenneth.winnifredrobenia[.]win
leonardperez.winnifredrobenia[.]win
Note: Additional domains at the bottom of the blog.

Now, these subdomains appear to be random words rather than random characters.

On this hosting IP alone you’ll find 11,769 hostnames made of 1,719 domains (2LD+TLD).  Below is the distribution of the number of subdomains per domain on this hosting IP.

 

              

 

FIGURE: Two histograms of the distribution of the number of subdomains to domains. LEFT: graph of all domains. RIGHT: graph of only domains with 5 or more subdomains (185 total domains).

 

THE NEW STORM

Once we found the hosting IP of these hailstorm domains, it was only the beginning.

This domain winnifredrobenia[.]win, which we observed hosted on the IP 95.31.22[.]193 was seen sent out in email messages we observed from analyzing this trojan in a sandbox environment;

SHA256: e3126968891a813103e4b9a59d31551e73535d5e4cf791da3e661413dca77e12

Spam email with a link to winnifredrobenia[.]win

FIGURE: Spam email with a link to winnifredrobenia[.]win

This trojan will enlist the infected host into the malicious actor’s spam botnet. This technique of sending spam from numerous network locations of infected hosts makes it difficult to stop entirely, since there is no central location of origin.

The file was dropped from pubsearch[.]ru which we have seen hosted on the IP 134.119.218[.]182.

This is yet another part of the Hailstorm infrastructure. This hosting IP is using the same tactic of registering many new subdomains on a daily basis.

example of Investigate view of LD2 and LD3 domains on hosting IP

FIGURE: Example of Investigate view of 2LD and 3LD domains on hosting IP

Cisco Umbrella continues to track these Hailstorm campaigns and their infrastructure through IP addresses, domains and email registrants.

IOCS

The below email registrants have registered domains associated with this wave of Hailstorm:

bossraz@ya[.]ru

veremeikom@gmail[.]com

andrejn797@gmail[.]com

fsn.vladimir@gmail[.]com

nbelikov11@gmail[.]com

radanatoliy@gmail[.]com

bossraz@yandex[.]net

alexstoiev123@gmail[.]com

darat@xrbox[.]com

A sample of IPs:

134.119.218[.]182

146.255.193[.]186

93.186.192[.]94

85.25.210[.]136

213.159.212[.]211

193.124.179[.]165

134.119.218[.]179

93.186.196[.]16

176.123.2[.]249

5.9.55[.]110

5.178.83[.]50

176.31.106[.]23

185.31.161[.]198

176.31.106[.]23

95.31.22[.]193

Hashes communicating with Hailstorm domains and IPs:

 

d938bd8ced1534ad6939d9e168e16f62dace7194829f1ef6f326ae911ee8e9a2

e68ca920c85b7f187273c85cdd943c46aaaed057f3bf82fdcd39edb83694740b

90c31a89a9a2c402c33e2199b906768b583d0ad11a1072ad5f2e2058e992a668

e3126968891a813103e4b9a59d31551e73535d5e4cf791da3e661413dca77e12

68fd651a697119b49942381382a7646931b1eea1e0b895ebaedb0b1d5eb0fcc2

 

A sample of domains:

www684.alanwinnifredrobenia[.]win
www878.andrea.winnifredrobenia[.]win
www521.arb.winnifredrobenia[.]win
www563.bdeese.winnifredrobenia[.]win
www585.bengel.winnifredrobenia[.]win
www.casey.winnifredrobenia[.]win
www274.charlesprice.winnifredrobenia[.]win
www283.cristobr.winnifredrobenia[.]win
www190.dmoultonwinnifredrobenia[.]win
www874.dmoultonwinnifredrobenia[.]win
www195.ealesmultotec.winnifredrobenia[.]win
www751.hcortez.winnifredrobenia[.]win
www868.ianclapp.winnifredrobenia[.]win
www729.jatkins.winnifredrobenia[.]win
www903.jonhunt.winnifredrobenia[.]win
www459.jstevens.winnifredrobenia[.]win
www821.jzhang.winnifredrobenia[.]win
www476.lj.winnifredrobenia[.]win
www456.lj.winnifredrobenia[.]win
www457.lj.winnifredrobenia[.]win
www504.lnunes.winnifredrobenia[.]win
www717.mike.winnifredrobenia[.]win
www935.mpennwinnifredrobenia[.]win
www996.nguyenconglap.winnifredrobenia[.]win
www118.nic.winnifredrobenia[.]win
www746.nic.winnifredrobenia[.]win
www934.nic.winnifredrobenia[.]win
www911.nick.winnifredrobenia[.]win
www300.obienichols.winnifredrobenia[.]win
www587.paul.winnifredrobenia[.]win
www828.peter.winnifredrobenia[.]win
www771.pistininzi.winnifredrobenia[.]win
www331.psimoslaw.winnifredrobenia[.]win
www920.richardbishop.winnifredrobenia[.]win
www214.roel.winnifredrobenia[.]win
www310.rsbr.winnifredrobenia[.]win
www336.vinnycarey.winnifredrobenia[.]win
www734.vinnycarey.winnifredrobenia[.]win
winnifredrobenia[.]win
bill.winnifredrobenia[.]win
dillingham.winnifredrobenia[.]win
dkey.winnifredrobenia[.]win
garywright.winnifredrobenia[.]win
jakedaigle.winnifredrobenia[.]win
josephhenthornwinnifredrobenia[.]win
liz.winnifredrobenia[.]win
makethecall.winnifredrobenia[.]win
mlkgoldens.winnifredrobenia[.]win
molloym.winnifredrobenia[.]win
nic.winnifredrobenia[.]win
ns1.winnifredrobenia[.]win
ns2.winnifredrobenia[.]win
pastorjeff.winnifredrobenia[.]win
patrick.winnifredrobenia[.]win
toolmanwinnifredrobenia[.]win
vmiller.winnifredrobenia[.]win
barrie.winnifredrobenia[.]win
cdavila.winnifredrobenia[.]win
jeffunderwood.winnifredrobenia[.]win
jjeffersonwinnifredrobenia[.]win
kenneth.winnifredrobenia[.]win
leonardperez.winnifredrobenia[.]win
matthelling.winnifredrobenia[.]win
mreed.winnifredrobenia[.]win
mshamimarainwinnifredrobenia[.]win
pdagrandrapids.winnifredrobenia[.]win
tbradford.winnifredrobenia[.]win
tembos.winnifredrobenia[.]win
www.winnifredrobenia[.]win
yukyw.winnifredrobenia[.]win
zbig.winnifredrobenia[.]win

This post is categorized in: